Edward Felten, a computer science professor at Princeton University, said that while SunnComm and Sony BMG offer a tool that allows users to completely uninstall the program, the uninstaller also opens the computer up to extremely serious security problems, much like the uninstaller for First4Internet's infamous copy-protection program.

From Felten's post: "When you visit the SunnComm uninstaller web page, you are prompted to accept a small software component -- an ActiveX control called AxWebRemoveCtrl created by SunnComm. This control has a design flaw that allows any Web site to cause it to download and execute code from an arbitrary URL.

"If you've used the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still on your computer, and if you later visit an evil Web site, the site can use the flawed control to silently download, install and run any software code it likes on your computer. The evil site could use this ability to cause severe damage, such as adding your PC to a botnet or erasing your hard disk."

Felten said you can tell whether the vulnerable control is installed on your computer by using a tool he developed: the "AxWebRemoveCtrl detector." More details are available at his blog, Freedom-to-Tinker.com. A note of caution from Felten, however:

"Unfortunately, if you use our tool to block the control, you won't be able to use SunnComm's current uninstaller to remove their software. It's up to them to replace the flawed uninstaller with a safe one as soon as possible, and to contact those who have already used the vulnerable uninstaller with instructions for closing the hole."
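Felten's detector works by looking for the control on the machine, and "blocking" an ActiveX control on Windows normally means setting its Internet Explorer kill bit so no web page can instantiate it. The script below is an added example written for this page, not Felten's tool and not SunnComm code; it assumes the control's DLL file name contains the string "AxWebRemove" (the page does not give the CLSID, so the script discovers it from the COM registration rather than hard-coding one) and uses the documented kill-bit mechanism (Compatibility Flags = 0x400 under the ActiveX Compatibility key).

```powershell
# Added example (editor's, not from Felten's post or SunnComm): find an
# ActiveX control by the file name of its in-process server DLL and set the
# Internet Explorer kill bit so no web page can load it.
# Assumption: the control's DLL name contains "AxWebRemove"; the exact CLSID
# is not given on this page, so it is looked up rather than hard-coded.
# Run from an elevated PowerShell prompt.

$pattern = 'AxWebRemove'

# Walk HKCR\CLSID\{...}\InprocServer32 and match the default value (DLL path).
$hits = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match $pattern) {
                [pscustomobject]@{ CLSID = $_.PSChildName; Dll = $dll }
            }
        }
    }

if (-not $hits) {
    Write-Output "No control matching '$pattern' is registered on this machine."
    return
}

foreach ($hit in $hits) {
    Write-Output "Found $($hit.CLSID) -> $($hit.Dll)"
    # Compatibility Flags 0x400 is the kill bit: Internet Explorer refuses to
    # instantiate the control from any web page, although it stays registered.
    $killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($hit.CLSID)"
    if (-not (Test-Path $killKey)) { New-Item -Path $killKey -Force | Out-Null }
    Set-ItemProperty -Path $killKey -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    Write-Output "Kill bit set for $($hit.CLSID)"
}
```

Two caveats a practitioner should keep in mind. A kill bit only stops the browser from loading the control; the DLL is still registered and still on disk, and, exactly as Felten warns above, the vendor's current uninstaller will no longer work once the control is blocked. On 64-bit Windows a 32-bit control is also subject to the same key under SOFTWARE\Wow6432Node, so set the flag in both places if the match turns up there.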

Great, so now we're waiting for a safe uninstall tool from both Sony and SunnComm? (By the way, if anyone can help me out with a list of CDs protected by SunnComm software, I'd be much obliged.)

After the whole Sony BMG fiasco originally broke, lots of smart people were saying it could be the death knell for DRM technologies. I was not so convinced of that at the time, but as each passing day brings more revelations about how poorly designed these products are, I am beginning to come around to that opinion myself.

DRM from Sony is just the tip of the iceberg. Sony's new Blu-Ray technology incorporates yet to be disclosed DRM technologies and there is no immediate sign that it will be reviewed and removed from this new specification.

Hey guys. Thanks for reading and for contributing to this post. But please don't post any more links or lists that relate to CDs using the Sony-licensed XCP (First4Internet) technology. That's not what this entry is about. What I really want to know is if anyone has information about which Sony titles are affected by SunnComm's DRM.

You're absolutely right this story shouldn't go away; there are reports now that the First4Internet / XCP software also contained LGPL and GPL'd code. The best part is that not only is it GPL code, it's the code to remove copy protection from iTunes music files. So, besides ethical transgressions, they broke copyright law and violated the Digital Millennium Copyright Act.

Brian:
One disc I own has SunnComm on it - "Howl" by Black Rebel Motorcycle Club (RCA/BMG). Good luck with your investigations. Sony should offer to exchange or offer a refund for ALL copy-protected discs.

Anybody know if disabling the Windows CD/DVD-ROM autorun functionality (either permanently via the registry or temporarily via the Shift key) prevents any or all of these emerging Sony viruses from being able to surreptitiously infect one's computer off the infected CD?
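The permanent registry switch the comment above refers to is the NoDriveTypeAutoRun policy value, which is what stops Windows from acting on a disc's autorun.inf when it is inserted. The script below is an added example for this page, not code from the post or from any commenter; the key, value name and bit layout (0x20 = CD-ROM drives, 0xFF = every drive type) are Microsoft's documented policy settings, and the script both reports the current state and applies the change.

```powershell
# Added example (editor's, not from the original post or comments): disable
# Windows AutoRun for CD/DVD drives so a disc's autorun.inf cannot launch an
# installer on insertion. NoDriveTypeAutoRun is a bitmask of drive types;
# 0x20 is the CD-ROM bit and 0xFF covers every drive type.
# Run from an elevated PowerShell prompt; sign out or restart Explorer to apply.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveTypeAutoRun'

function Get-AutoRunMask {
    # Returns the current mask, or 0 when the policy value is not set.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$name
}

$before = Get-AutoRunMask
Write-Output ('Current NoDriveTypeAutoRun: 0x{0:X2}' -f $before)
if ($before -band 0x20) {
    Write-Output 'AutoRun is already disabled for CD-ROM drives.'
} else {
    Write-Output 'AutoRun is enabled for CD-ROM drives.'
}

# Disable AutoRun for all drive types. Use 0x20 instead of 0xFF to limit the
# change to CD/DVD drives only.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value 0xFF -Type DWord

Write-Output ('NoDriveTypeAutoRun now: 0x{0:X2}' -f (Get-AutoRunMask))
```

The caveat: this only prevents the disc from launching its program automatically. If the user opens the disc and runs the player or installer by hand (or accepts a prompt to do so), the software installs just the same, and the setting does nothing about software that is already on the machine. Holding Shift during insertion suppresses AutoRun for that one insertion only, which is why the registry policy is the more reliable of the two.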

"...as each passing day brings more revelations about how poorly designed these products are, I am beginning to come around to that opinion myself."

In a lot of ways, this is just like the situation with Windows where functionality was foremost in the mind of the designer and security was never a consideration.

Do you think that Sony/BMG ever asked the question, "will there be any issues to the user when they put this CD into their computer?"

Absolutely not; the only question that Sony asked was "how many times will the user be able to copy a CD?"

I am not making an argument pro or against the digital copyright technology. What I do find interesting is that in all the bills that have come before Congress to legislate this matter (in particular the DMCA), there were never any consumer rights in the equation at all. It all came down to how to protect the intellectual property owners.

I guess that is the general case with all computer products. Since there is no governance over even operating systems, why should there be for this medium? However, in most cases, you take on the risk yourself by clicking the licensing agreement.

Final thought in the matter... though Sony is taking all the heat in this matter, Sony is probably going to turn around and sue the developer of this software product for the financial losses that occur to Sony due to the defect. That includes the cost of recalling the shipment, loss of products. I don't know who I feel worse for: the big boy Sony or the little guy who decided to install a rootkit on the end user's machine.

This is the one that LOADS INTO A WINDOWS PC WITHOUT ASKING whenever you insert the DRM-afflicted CD into the PC.

It then pops up a window that offers the (exact) same EULA as is offered with the F4I XCP rootkit malware that is on other Sony CDs, the EULA that says that the software will not be installed if the user declines the EULA. In this case the EULA lies.

The Sunncomm malware is already INSTALLED and RUNNING on your PC.

Megabytes of malware are already at home and at work in your PC even as you read the EULA, crippling your CD drive access at the kernel level and interfering with any multimedia software... and if you decline the EULA and remove the CD from your PC the Sunncomm malware is LEFT installed and running.

If you are so trusting as to actually accept the EULA then the malware is tucked away in the Windows system registry to start every time you turn on your PC.

What is wrong with Sony? Are they incapable of learning from prior transgressions? Or perhaps Sony has institutionalized a culture where:

- Air-play payola is not wrong.
- Forging movie reviews is not wrong.
- Rootkits are not wrong.
- Infringing on the copyrights of others is not wrong.
- Serial lying by executives is not wrong.

Do Sony's willful decisions simply represent their attempt to gain an unfair advantage? Or perhaps Sony is simply running in place and trying to keep up with their competition ... the industry dullard playing the game so poorly that they are simply the first to be apprehended?

Sony began all this in March. Why did the anti-virus industry not find Sony's rootkit? Did Sony collude with the anti-virus industry so that their rootkit would not be reported? (As C|net reported, but has subsequently yanked. The article names Symantec ... and lives in the Google cache.)

Thanks for getting attention onto the bigger problem of Sony/Sunncomm. As the posts show this is already much more "in the wild" than XCP: about 250 different albums, if we exclude Canadian versions as double counting.

Two points: can we Mac users stop being so smug (we're not so stupid as to load this!). This is in effect a social engineering malware exploit, and many, particularly new generation, iPod halo, Mac users will see little odd in a request from a major and respected company to load a little program or two to allow them to access (possibly some additional clever tracks) on their new CD - which of course isn't a CD, but journalists keep referring to them as CDs for some reason. We need to know precisely what it does to Macs as well: I don't like the idea of someone messing at kernel level.

Second, Amazon seems to have picked up on the downside risk of all this to retailers, with a full refund offer, and in most cases the fact that these are not standard CDs is explicit on Amazon. Not so in your local CD store, as far as I am aware. How about a campaign to force bricks and mortar retailers to sell these non-CDs in separate, clearly labelled racks. There is a basic level consumer protection issue here.

"But for some strange reason, they didn't do a version to run on Macs, when even Linux was targeted."

No, no... you're not supposed to smoke that worm in the bottle ;)

Linux was not targeted.

Macintosh malware, however, IS included in the Sunncomm Mediamax DRM. It's just that this "Mac-enhanced content" is not automatically shoved down the user's throat... though no doubt Sony would if they could.

The current Sony-sponsored Mac-oriented malware in the Sunncomm Mediamax DRM installs new kernel extensions into your Mac if you're... unbright... enough to give it permission.

... our own little soap opera, brought to you by Sony/BMG/F4I ... every day for the past 2 weeks I've tuned in to see the latest antics by those crafty little cretins, and I have to say, if they'd replace Thomas Hesse with Susan Lucci, their ratings would go way up ! ...

... This is a self-inflicted wound on their part, but we may as well rub a little salt in it, while it's still festering ...

... I doubt First4Internet will be doing a lot of business this Holiday Season, but I really hope that they find some Copyright Lawsuits under their tree, and they really should be banned from writing, stealing and releasing code until they learn how ...

... I empathize with the Artists that continue to get the candy-cane shaft from Sony/BMG, but I'd love to see a noticeable drop in disc sales this Shopping Season, at the very least a drop in Copy-Protected discs (and someone should start keeping track of that stat, maybe a wise retailer or two) ...

... and here's hoping that, in another week or two, as the first wave of outrage starts to ebb, that someone/anyone from Sony/BMG will step up and, in their grand tradition, Say Something Else Really Stupid to fan the embers and keep the P R train rollin' ... based on past performance I have every confidence they will ...

... tell your friends and family to speak up with their Holiday wallets - there are a LOT of choices this year that WON'T trash your computer ...

The companies that have come down on the side of the new Blu-Ray technology should really examine their position. They might find themselves defending themselves from some future transgression. It seems that many CEOs are not able to understand the technology behind these things and their far-reaching influences.
It's almost enough to send me back to the movie theaters, except that they will bore me with their endless trailers and local advertisements. Everything is being done for money or "for the stakeholders," which is really saying the same thing.

The installation of Real's Rhapsody requires that the user disable their firewall for an extended period of time.

The installation software instructs users to disable their firewall during installation. I did so, but installation repeatedly stalled at the "Downloading and Installing Components" stage. I suppose if I kept my firewall disabled for three hours, Rhapsody might have eventually installed, but I was not willing to do that. As it was, I kept my firewall disabled for about 30 minutes, and Rhapsody never installed. (Installation stopped at around 85%)